I work on a small network that runs on Windows Server 2003, with machines running XP. Is there a group policy that could push a new user name and password to replace our old local administrator user accounts?

That will work if you have the Group Policy Preferences client rolled out to your clients, or are using clients that have that functionality built in. If you've got Windows 2000 or Windows XP w/o the GPP client installed, though, you're out of luck with this method.
– Evan Anderson, Jun 10 '09 at 18:02

By default the policy value will be readable by anyone in the domain. The password will be in that file, and while it is encrypted, the key used to encrypt the password has been published.
– Zoredache, Feb 14 '13 at 0:25
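Zoredache's point can be checked rather than taken on trust. The script below is an added example, not something posted in this thread: it walks the Policies folder in SYSVOL and reports every Group Policy Preference item (groups, services, scheduled tasks, data sources, drives, printers) that still carries a `cpassword` attribute. It only reports where such a value exists; it does not decrypt anything. It assumes PowerShell on a domain-joined machine that can read SYSVOL, and takes the domain name from `USERDNSDOMAIN`.

```powershell
# Added example, not from the thread: find Group Policy Preference items in
# SYSVOL that store a 'cpassword' value. Reports only; decrypts nothing.
param(
    # Assumption: the Policies folder of the current domain's SYSVOL share
    [string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

# Preference files that are able to embed credentials
$gppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'

$findings = @()
Get-ChildItem -Path $PoliciesPath -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        [xml]$doc = Get-Content -Path $file.FullName
        # Every Properties element with a cpassword attribute is one stored credential
        foreach ($props in $doc.SelectNodes('//Properties[@cpassword]')) {
            $findings += New-Object PSObject -Property @{
                # The GPO GUID is the folder directly under Policies
                Policy  = $file.FullName -replace '^.*\\Policies\\(\{[^\\]+\})\\.*$', '$1'
                File    = $file.Name
                # Attribute name differs per file type (userName, accountName, runAs, ...);
                # GetAttribute returns an empty string when the attribute is absent
                Account = $props.GetAttribute('userName') + $props.GetAttribute('accountName') + $props.GetAttribute('runAs')
                Action  = $props.GetAttribute('action')
                Changed = $props.ParentNode.GetAttribute('changed')
            }
        }
    }

if ($findings.Count -gt 0) {
    $findings | Format-Table Policy, File, Account, Action, Changed -AutoSize
    Write-Warning "$($findings.Count) preference item(s) store a cpassword; remove them and change the affected passwords."
} else {
    "No cpassword attributes found under $PoliciesPath."
}
```

Run it from a domain-joined workstation with an account that can read SYSVOL (by default, any domain user can, which is exactly the problem the comment describes). Items in the 'Changed' column show when the value was last written, so old, forgotten entries stand out.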

I use a computer startup script to do this for local "Administrator" passwords, combined with a "trap door" group membership so that the script only runs once.

Create a group in the AD - "Local Administrator Password Set". Modify the permissions on the group to allow "Domain Computers" to "Add/Remove Self as Member".

Create a new GPO, "Set Local Administrator Password" and link it wherever you want in the directory. Modify the permission on the GPO to DENY "Apply Group Policy" to members of the "Local Administrator Password Set" group. Remove the "Authenticated Users" from the stock permission and add "Domain Computers" with "Read" and "Apply Group Policy" permission.

But then the password is in plaintext...
– K. Brian Kelley, Jun 10 '09 at 17:30

Readable by "Domain Computers", yes. Delete the script after it's run everywhere you want it to if you're worried about it. The password has to exist in plaintext somewhere, at least once.
– Evan Anderson, Jun 10 '09 at 17:39

Password, no; you can, however, set the Administrator username using GP. It's under:

Computer Settings -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Find the one called "Rename administrator account", and change it to whatever you want.

For resetting the password, we've simply set them all on installation to ridiculously long strings, then created a "Workstation Admin" group in Active Directory; then, using Group Policy, go to:

Computer -> Windows -> Security -> Restricted Groups

Add the new group, and make them a member of "Administrators". So long as your PCs are joined to the domain, and you give your techies membership of this group, they can log on using their personal Active Directory accounts, rather than sharing a local administrator account (which gives you much more accountability!).

Your mileage may vary when using this technique on laptops or machines that are often disconnected from AD, of course.

I think what you are thinking of here is the domain administrator's username change. I was looking for a group policy that would push a local administrator and password to replace the original.
– killamjr, Jun 13 '09 at 1:54

No, this setting also works for local Administrator account usernames - it applies to all computers affected by the policy. Unless you mean replacing the original administrator's profile with a template..?
– Keith Williams, Jun 15 '09 at 11:35

You can attach a startup script for the computer account. This can check the existence of a user and if it's not there, create it. The catch is ensuring the password is encrypted in some manner. However, it sounds like you just want to rename the administrator account. If so, see Keith's response. You can rename via GPO and that's the way to go. Setting the password is more difficult and can't be done directly via GPO except through a startup script.
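A startup script of the kind this answer and Evan Anderson's "trap door" answer describe could look like the following. This is an added example, not a script posted in the thread: it creates the local admin account if it is missing, sets its password, makes sure it is in the local Administrators group, and then adds the computer account to the AD group that is denied "Apply Group Policy" on the GPO, so the script never runs on that machine again. The account name, password and group DN are placeholders; it assumes PowerShell is present on the clients and that the script runs as SYSTEM at computer startup, so the LDAP operations are performed as the computer account (which is why "Add/Remove self as Member" for "Domain Computers" is enough). As both answers note, the password sits in the script in plain text and is readable by every domain computer until the script is deleted.

```powershell
# Added example, not from the thread. Computer startup script implementing the
# "trap door" pattern: set up the local admin account, then add this computer
# to the group that is denied this GPO so the script does not run here again.
# Placeholders (not values from the thread): account name, password, group DN.
# Runs as SYSTEM, so the LDAP calls below are made as the computer account.

$AccountName = 'LocalAdmin'                        # placeholder
$Password    = 'REPLACE-WITH-A-LONG-RANDOM-STRING' # placeholder; readable by Domain Computers
$TrapGroupDN = 'CN=Local Administrator Password Set,CN=Users,DC=example,DC=com'  # placeholder DN

$machine = [ADSI]"WinNT://$env:COMPUTERNAME"

# 1. Create the account if it does not exist; either way, set the password
$exists = $machine.Children |
    Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $AccountName }
if ($exists) {
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$AccountName,user"
} else {
    $user = $machine.Create('user', $AccountName)
}
$user.SetPassword($Password)
$user.SetInfo()

# 2. Make it a member of the local Administrators group if it is not already
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$memberNames = $admins.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
if ($memberNames -notcontains $AccountName) {
    $admins.Add("WinNT://$env:COMPUTERNAME/$AccountName,user")
}

# 3. Close the trap door: add this computer's AD account to the group that is
#    denied "Apply Group Policy" on the GPO carrying this script
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$computerAccount = $searcher.FindOne()
if ($computerAccount -ne $null) {
    $group = [ADSI]"LDAP://$TrapGroupDN"
    $group.Add($computerAccount.Path)   # needs "Add/Remove self as member" granted to Domain Computers
}
```

Step 3 is what makes the script run once per machine: after the computer is in the group, the GPO's "Apply Group Policy" deny takes effect at the next policy refresh and the script is no longer applied. If step 3 fails (for instance because the group permission was not granted), the script simply runs again at the next startup, which is harmless but keeps the password in use.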